[57] ABSTRACT


A source-level run-time software code debugging in- 
strument (10) includes a target access probe (“TAP”) 
(12) and a communications adapter (“COMDAP”) (14) 
that process emulation commands provided by source- 
level debugging software operating on a host computer. 
The TAP includes a TAP CPU (28) that receives target 
CPU input signals and delivers target CPU output sig- 
nals for controlling the execution of software code by 
the target circuit in accordance with command signals 
provided by the host computer. The TAP also includes 
a programmable logic cell array (24) and a RAM (34). 
The TAP logic cell array routes command and data 
signals to and from the TAP CPU, and the RAM stores 
an in-circuit emulation (“ICE”) program used by the 
TAP to operate the target circuit. The COMDAP is 
physically separate from the TAP and provides an in- 
terface between the host computer and the TAP. The 
COMDAP includes a programmable logic cell array 
(44) and an EPROM (46). The COMDAP logic cell 
array routes command and data signals to and from the 
COMDAP, and the EPROM stores the commands for 
configuring the signal paths within the TAP and COM- 
DAP logic cell arrays and stores the TAP ICE pro- 
gram. A flat cable assembly (16) provides a high-speed 
signal communications link between the TAP and the 
COMDAP. The TAP uses certain microprocessor sig- 
nal features and source-level debugging software that 
runs on the host computer to provide a software engi- 
neer with a fully transparent window into the internal 
functioning of the TAP CPU while executing code in 
the target circuit environment. 


32 Claims, 8 Drawing Sheets 
SOURCE-LEVEL IN-CIRCUIT SOFTWARE CODE
DEBUGGING INSTRUMENT 


TECHNICAL FIELD 


The present invention relates to techniques for cor- 
recting or “debugging” computer software code and, in 
particular, to a source-level run-time software code 
debugging instrument using microprocessor emulation 
technology. 


BACKGROUND OF THE INVENTION 


There are currently two conventional techniques 
used by programmers to debug computer software 
code. These techniques include program monitors and 
microprocessor emulators. 

A program monitor is intrusive software code located 
in target memory to debug computer programs. The 
program monitor operates in conjunction with and 
monitors the operation of a main computer program 
that controls the functions of a microprocessor-based 
target circuit. The program monitor code is intrusive in 
that it is linked to the main program code, both of which 
are either downloaded into memory sites provided in 
the target circuit or stored in a read only memory 
(ROM) used by the programmer. The use of a monitor 
program requires that a universal asynchronous receiv- 
er-transmitter or other communication hardware be 
provided in the target circuit so that the monitor can 
communicate apart from the main program to the pro- 
grammer. 

The use of program monitors is advantageous be- 
cause they are relatively inexpensive and find the ma- 
jority of errors or “bugs” located in the main program. 
One drawback of program monitors is that they require 
the use of resources in the target circuit and typically 
are ineffective in detecting more difficult problems 
present in the associated program code. 

An emulator is a nonintrusive software debugging 
tool that uses external hardware to provide transparent 
operation of a microprocessor embedded in a target 
circuit. The emulator microprocessor substitutes for the 
target microprocessor during target circuit testing and 
execution, and the emulator traces all activity that oc- 
curs at the target microprocessor input and output ter- 
minals. An emulator provides a complex breakpoint 
system that monitors the target microprocessor activity 
and stops the microprocessor operations at predeter- 
mined points for analysis of certain target circuit sig- 
nals. 

An emulator is designed for use primarily in full sys- 
tem integration and for solving real-time problems. A 
programmer using an emulator is able to replace the 
programmer’s ancillary ROM with an overlay random 
access memory (RAM) located in the emulator. The 
overlay RAM allows the programmer to debug the 
program code even when the target circuit is not com- 
plete physically and thereby shortens the development 
time of microprocessor-embedded circuits. Certain 
types of emulators do not require the use of the target 
resources; therefore, such emulators can be viewed as 
nonintrusive code debugging instruments. 

An emulator addresses the needs of the integration 
phase and time-dependent problems in a target circuit 
by using a trace feature, complex breakpoint systems, 
and an overlay memory. Because each of these features 
is expensive but critical for full system integration, such 
features are not necessary for run-time debugging. 
Thus, one major drawback of emulators is that they are 
relatively expensive, thereby making them inaccessible 
to a significant percentage of the growing number of 
software engineers participating in microprocessor- 
based circuit design tasks. 


SUMMARY OF THE INVENTION 


An object of the present invention is, therefore, to 
provide cost-effective early access to a microprocessor- 
embedded target computer system for software debug- 
ging by a programmer. 

Another object of the invention is to provide a soft- 
ware code debugging instrument that allows the short- 
ening of development time for microprocessor-embed- 
ded target computer systems. 

A further object of the invention is to address the
increasing ratio of software engineers to hardware engi- 
neers and to shorten the time-to-market by cost-effec- 
tively providing each member of a software design team 
with a run-time code debugging instrument. 

Yet another object of the invention is to provide a 
cost-effective transparent run-time instrument that need 
not require the use of target resources to function. 

The present invention is a source-level run-time soft- 
ware code debugging instrument that uses emulation 
technology. The invention fills a void in the micro- 
processor-based circuit development cycle because it is 
a cost-effective, transparent run-time software debug- 
ging instrument that need not use the target resources 
required by a monitor and does not provide the com- 
plex, expensive debugging features present in an emula- 
tor. 

A preferred embodiment of the present invention 
includes a target access probe (“TAP”) subsystem and a
communications adapter (“COMDAP”) subsystem that
process emulation commands provided by a host analy- 
sis code source such as source-level debugging software 
operating on a host computer. The TAP includes a 
microprocessor or central processing unit (“CPU”) that 
receives target CPU input signals and delivers target 
CPU output signals for controlling the execution of 
software code by the target circuit in accordance with 
command signals provided by the host computer. The 
command signals from the host computer formulate 
operating instructions that the TAP CPU receives and 
decodes to cause the target circuit to produce a desired 
response. The TAP also includes a first programmable 
logic cell array and a RAM. The first programmable 
logic cell array routes command and data signals to and 
from the TAP CPU along signal paths established to 
assemble such signals in a digital word format that is 
compatible to the specific type of TAP CPU in use. The 
RAM stores an in-circuit emulation (“ICE”) program 
used by the TAP to operate the target circuit whenever 
the TAP assumes target circuit control. 

The COMDAP, which is physically separate from 
the TAP, provides an interface between the host com- 
puter and the TAP. The COMDAP includes a second 
programmable logic cell array and an erasable program- 
mable ROM (“EPROM”). The second programmable 
logic cell array routes command and data signals to and 
from the COMDAP along signal paths established to 
assemble such signals in a digital word format that is 
compatible with the specific type of host analysis code 
source and TAP in use. The EPROM stores the com- 
mands for configuring the signal paths within the first 
and second programmable logic cell arrays and stores 
the TAP ICE program, which is transferred to the TAP 
RAM upon initial application of electrical power to the 
debugging instrument. 

A flat cable assembly provides the necessary signal 
communications link between the TAP and the COM- 
DAP. The use of the EPROM in conjunction with the 
first and second programmable logic cell arrays in the 
TAP and COMDAP, respectively, allows a software 
engineer to provide software code that configures the 
TAP for a particular type of microprocessor and the 
COMDAP for a particular type of host analysis code 
source. 

The present invention differs from a software moni- 
tor in that the former monitors and controls the execu- 
tion of code in the target circuit without requiring prior 
code modification or without using target memory or 
input-output circuitry. The present invention includes 
RAM sites on the TAP and EPROM sites on the COM- 
DAP, thereby eliminating the use of target RAM or 
ROM space. Equipping the debugging instrument with 
the COMDAP eliminates the need for use of a target 
universal asynchronous receiver-transmitter or other 
communication hardware. 

Because of certain microprocessor signal features 
used by the TAP, source-level debugging software that 
runs in the host computer provides the software engi- 
neer with a fully transparent window into the internal 
functioning of the TAP CPU while executing code in 
the target circuit environment. This window into the 
TAP CPU combined with powerful source-level de- 
bugging software provides a software engineer with the 
capability of solving run-time problems. A preferred 
source-level debugging software package facilitates 
ready access to data structures, arrays, dynamic vari- 
ables, and data breakpoints. The software engineer can 
read data from and write data to specific target loca- 
tions as well as transmit register states and other data to 
the debugging program for display to the software engi- 
neer. The software engineer can also download and 
upload code, execute code starting at a preset value, and 
stop code at a preset value. A software engineer may
use target interrupt resources depending on the target
circuit CPU being emulated.

Additional objects and advantages of the present 
invention will be apparent from the detailed description 
of a preferred embodiment thereof, which proceeds 
with reference to the accompanying drawings. 


BRIEF DESCRIPTION OF THE DRAWINGS 


FIG. 1 is a pictorial view of the software code debugging
instrument of the present invention, which includes
target access probe (“TAP”) and communications
adapter (“COMDAP”) subsystems connected by a
flat cable assembly.

FIG. 2 is an enlarged view of the lower side of the 
TAP, the upper side of which is shown in FIG. 1. 

FIG. 3 is a functional block diagram of the TAP 
subsystem of the present invention. 

FIG. 4 is a functional block diagram of the COM- 
DAP subsystem of the present invention. 

FIG. 5 is a block diagram showing the functions 
implemented in software used by the present invention 
to perform microprocessor-based emulation. 

FIG. 6 is a flow diagram showing the processing 
steps for initially configuring the TAP and COMDAP 
for operation. 

FIG. 7 shows an address map for the RAM included 
as part of the TAP. 
FIG. 8 is a diagram showing certain areas of the 
topology of the Intel® 80386 microprocessor chip 
where wire placement is required to bond out three 
signal features used by a preferred embodiment of the 
present invention. 


DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENT 


FIG. 1 is a pictorial view of a preferred embodiment 
of software code debugging instrument 10 of the present
invention. Debugging instrument 10 includes a target
access probe (“TAP”) subsystem 12 and a communications
adapter (“COMDAP”) subsystem 14 interconnected
by a detachable flat cable assembly 16. COMDAP 14
receives command signals transmitted on a
RS-232 serial communications link 18 from a host analy- 
sis code source or host computer (not shown) on which 
a fully integrated windowed debugging software pro- 
gram operates. Communications link 18 is preferably of 
the RS-232 type because standard computer terminals 
use a communications protocol defined by EIA stan- 
dard RS-232 to send and receive data from a control 
computer. COMDAP 14 conditions the command sig- 
nals for delivery through the conductors of cable assem- 
bly 16 to TAP 12. 

TAP 12 includes a printed circuit board 20 that 
carries on its upper surface 22 a first programmable 
logic cell array 24 and a first socket 26 that receives the 
lead pins of a microprocessor or central processing unit 
(“CPU”) 28. Socket 26 is affixed to conductive regions 
of circuit board 20 by solder pads associated with differ- 
ent ones of the microprocessor lead pins. Printed circuit 
board 20 carries on its lower surface 30 a second socket 
32 having multiple downwardly depending pins 33 
(FIG. 2) that connect by electrically conductive paths 
through circuit board 20 to the solder pads of socket 26 
and can be inserted into a female target CPU socket on 
the target circuit board (not shown). Printed circuit 
board 20 also carries on its lower surface 30 a random 
access memory (“RAM”) 34. Programmable logic cell 
array 24 establishes signal flow paths necessary to pro- 
vide data and address signals in the proper digital word 
format to CPU 28 and RAM 34. CPU 28 substitutes for 
and plugs into the socket receptacles dedicated for a 
CPU on the target circuit board, and RAM 34 functions 
as the in-circuit emulation (“ICE”) program memory 
for TAP 12 when it takes control of target circuit opera- 
tion. 

COMDAP 14 includes a printed circuit board 40 that
carries on its upper surface 42 a second programmable 
logic cell array 44 and an erasable programmable read 
only memory (“EPROM”) 46. COMDAP 14 also in- 
cludes a 30 MHz crystal oscillator 48 and associated 
frequency divider circuitry 50 that provide clock sig- 
nals to programmable logic cell arrays 24 and 44 to 
enable high-speed serial command and data transfer 
between TAP 12 and COMDAP 14 through cable as- 
sembly 16. 

TAP 12 and COMDAP 14 are preferably physically 
separate so that TAP 12 can be used with COMDAPs 
14 adapted for use with host computers of different 
types and so that COMDAP 14 can be used with TAPs 
12 adapted for use with CPUs 28 of different types. It 
will be appreciated, however, that TAP 12 and COMDAP 14
need not reside on separate printed circuit
boards but may share a common printed circuit board, 
if desired. 
FIG. 3 is a functional block diagram of TAP 12. With
reference to FIG. 3, first programmable logic cell array 
24 of TAP 12 is configured to have a data receive shift 
register 60 and a data transmit shift register 62 that 
respectively receive serial digital commands from and 
deliver serial digital data to COMDAP 14 through 
cable assembly 16. One commercially available device 
suitable for use as logic cell array 24 is a part number 
XC 3042 logic cell array manufactured by XILINX, 
Inc., San Jose, Calif. Logic cell array 24 is also config- 
ured to have a pair of first-in, first-out (“FIFO”) buffer 
registers 64 and 66, the former receiving serial digital 
commands from the output of shift register 60 and the 
latter delivering serial digital commands or data to the 
input of shift register 62. Logic cell array 24 is config- 
ured as described above in accordance with commands 
stored in EPROM 46 of COMDAP 14 (FIG. 1). Shift 
registers 60 and 62 assemble the serial digital commands 
and data received from or delivered to the COMDAP. 

An output port register 68 of logic cell array 24 re- 
ceives the byte wide digital words from FIFO register 
64 and provides them as address words and data words 
of the required length and in the required format for use 
by CPU 28. These address and data words appear on 
separate sets of conductors to the respective address bus 
conductors 70 and data bus conductors 72 of CPU 28. 
An input port register 74 of logic cell array 24 and 
RAM 34 receive parallel digital address words and data 
words from the respective address bus conductors 70 
and data bus conductors 72 of CPU 28. Input port 74 
reconfigures the address and data information into byte 
wide format and provides them to FIFO register 66 for 
delivery to shift register 62 and COMDAP 14. RAM 34 
stores the software code representing the ICE program 
for TAP 12 to perform the debugging function. The 
contents of RAM 34 are loaded upon initial application 
of power to TAP 12 as will be described later below. 
The address bus conductors 70 and data bus conductors 
72 are connected to the appropriate address input con- 
ductors and data output conductors of RAM 34 to ef- 
fect operational control of CPU 28 in response to com- 
mand signals that formulate operating instructions pro- 
vided by the host computer to debugging instrument 10. 

Shift registers 60 and 62 of logic cell array 24 provide 
digital words to CPU 28 in accordance with the instruc- 
tions delivered to instrument 10 from the host computer 
debugging software and provide address words and 
data words indicative of the results produced by the 
target software for analysis by the software in the host 
computer in response to earlier provided instructions. 
The ICE program software inscribed in RAM 34 effects 
the proper execution of the instructions delivered to 
debugging instrument 10 from the host computer. 

FIG. 3 shows TAP 12 providing a BREAK signal on 
a conductor 76 and a RESET signal on a conductor 78 
to respective BREAK and RESET inputs of CPU 28. 
The BREAK signal indicates the receipt by FIFO reg- 
ister 64 of any command from the host computer to stop 
the execution of the target program by CPU 28. The 
RESET signal is developed by a RESET circuit 80 in 
response to a RESET signal generated by a software 
engineer activating a RESET button 82 (FIG. 1) to 
reset the target program to its starting address. The 
BREAK and RESET signals affect the operation of 
CPU 28 in a manner that is described in detail below. 

FIG. 4 is a functional block diagram of COMDAP 
14. With reference to FIG. 4, second programmable 
logic cell array 44 of COMDAP 14 is configured to 
have a data receive shift register 90 and a data transmit
shift register 92 that respectively receive serial digital 
commands from and deliver serial digital data to the 
host computer through communications link 18. Logic 
cell array 44 is of a similar type to that of logic cell array 
24. A pair of voltage level converters 94 and 96 condi- 
tion the digital signals respectively received from and 
transmitted to the host computer. 

Logic cell array 44 is also configured to have a pair of 
FIFO buffer registers 98 and 100, the former receiving 
byte wide digital commands from the output of shift 
register 90 and the latter delivering byte wide digital 
data to the input of shift register 92. Logic cell array 44 
is configured as described above in accordance with 
commands stored in EPROM 46 of COMDAP 14 
(FIG. 1). FIFO register 98 temporarily stores the byte 
wide digital commands received from shift register 90 
at a relatively low data rate for delivery to TAP 12 
through cable assembly 16 at a relatively high data rate. 
FIFO register 92 temporarily stores the byte wide digi- 
tal data received from TAP 12 at a high data rate for 
delivery to shift register 92 and transmission to the host 
computer through communications link 18 at a rela- 
tively low data rate. 

An output port register 102 of logic cell array 44 
receives byte wide digital commands from FIFO regis- 
ter 98 and delivers them in serial format at a high data 
rate on a conductor 104 of cable assembly 16 to data 
receive shift register 60 of TAP 12. An input port regis- 
ter 106 of logic cell array 44 receives serial digital data 
from data transmit shift register 62 of TAP 12 at a high 
data rate on a conductor 108 of cable assembly 16. 

The digital commands and data are transmitted in 
serial format between TAP 12 and COMDAP 14 
through the conductors of cable assembly 16 at a 10 
Mbps rate. This is accomplished by 30 MHz oscillator 
48 and a divide-by-three counter 110 connected to the 
output 112 of oscillator 48, which together develop a 10 
MHz clock signal that is delivered to output port regis- 
ter 102 and input port register 106. The 10 MHz clock 
signal is also provided on a conductor 114 of cable 
assembly 16 for delivery to data receive shift register 60 
and data transmit shift register 62 of TAP 12. Output 
112 of 30 MHz oscillator 48 is also applied to a program- 
mable frequency divider 116 that provides on its output 
118 a baud rate clock signal, which is applied to the 
clock inputs of receive shift register 90 and transmit 
shift register 92 that, respectively, receive serial com- 
mands from and provide serial data to the host com- 
puter. The baud rate clock enables COMDAP 14 to 
receive command signals from and deliver data signals
to the host computer at a rate that differs from the 10 
Mbps data transfer rate between TAP 12 and COM- 
DAP 14. A manually programmable baud rate switch 
120 facilitates the selection of a baud rate that is appro- 
priate to the capabilities of the type of host computer 
with which COMDAP 14 communicates. A 19.2K 
baud rate is appropriate for a PC type host computer. 

The transmission of command and data signals among 
the host computer, TAP 12, and COMDAP 14 takes 
place at different rates. Moreover, commands are as- 
sembled in byte wide digital format in TAP 12 for trans- 
mission to and from CPU 28. To accommodate the 
resulting timing differences, coordination of command 
and data transfer among the host computer, TAP 12, 
and COMDAP 14 is accomplished by the use of hand- 
shake techniques. 
FIFO register 98 provides on an output terminal 122
through a voltage level converter 124 a RECEIVE 
HANDSHAKE CONTROL signal to the host com- 
puter, and FIFO register 100 receives on an input termi- 
nal 126 through a voltage level converter 128 a 
TRANSMIT HANDSHAKE CONTROL signal from 
the host computer. The two handshake control signals 
coordinate the data transfer between the serial digital 
signal input and output ports of the host computer and 
COMDAP 14. FIFO register 98 receives on a conduc- 
tor 130 of cable assembly 16 a TAP BUSY signal from 
FIFO register 64 whenever TAP 12 is providing infor- 
mation to or receiving information from CPU 28. Simi- 
larly, FIFO register 100 delivers on a conductor 132 of 
cable assembly 16 a COMDAP BUSY signal whenever 
COMDAP 14 is processing an instruction and is un- 
available for receiving data from data transmit shift 
register 62 of TAP 12. 

EPROM 46 provides on multiple output conductors 
134 command signals for configuring the data pathway 
structures of logic cell arrays 24 and 44 and address and 
data signals for loading the operations program in RAM 
34. All of these functions occur upon initial application 
of electrical power to debugging instrument 10. 

FIG. 5 is a block diagram showing the functions 
implemented in software for processing command sig- 
nals sent to the target circuit and for processing data 
signals developed by the target circuit in response to 
such commands. Debugging instrument 10 operates in 
association with a host computer that is implemented 
with windowed, source-level debugging software. The 
debugging software provides command signals that 
debugging instrument 10 processes and delivers to a 
target circuit to provide a software engineer with the 
capability of solving run-time problems. 

A preferred embodiment of debugging instrument 10
is designed for use in debugging a target circuit
controlled by an Intel® 80386 32-bit microprocessor. A
preferred source-level debugging software program is
the VALIDATE®/Soft-Scope III® 386, which together
with Pharlap 386 ASM/Linkloc assembly software,
supports Intel OMF-compatible languages, MicroSoft® C,
and most compilers. The preferred embodiment of
debugging instrument 10 provides a software engineer
with a fully transparent window into the internal
functioning of the Intel® 80386 microprocessor when
executing software code instructions in the
target environment.

With reference to FIG. 5, an application software 
driver 150 of the host computer provides a set of com- 
mand signals, referred to as a set of “C calls,” in accor- 
dance with the debugging software applications pro- 
gram. The C calls are delivered to an ASCII Remote 
Control Driver (“ARCD”) 152, which interprets the C
calls and conditions them to a format that is compatible 
for transmission to COMDAP 14. ARCD 152 interprets 
the C calls as commands having command codes and 
command fields. A command code is a standard ASCII
character (7-bit ASCII code), such as “M” for a mem- 
ory write command and “m” for a memory read com- 
mand. The command code may be followed by one or 
more field codes. 

The basic command protocol of ARCD 152 is the 
receipt of a C call from the host computer and the re- 
ceipt of a response delivered by debugging instrument 
10 from the target circuit. The commands interpreted 
by ARCD 152 are delivered to a serial port 154 included
within the host computer hardware for transmission
as serial digital signals on a conductor 156 of the
RS-232 communications link 18 to TAP 12 by way of 
COMDAP 14. The commands received by TAP 12 are 
processed in accordance with an operations program 
initially stored in EPROM 46 of COMDAP 14 and 
transferred to RAM 34 of TAP 12 upon initial applica- 
tion of electrical power. 

The ICE program stored in RAM 34 effectively
substitutes for the target program provided in the target
circuit whenever debugging instrument 10 takes control
of the target circuit operation. In FIG. 5, process block
160 represents the translation by the ICE program
stored in RAM 34 of a command in ASCII format to
binary format for use by the Intel® 80386
microprocessor-based target circuit. Process block 162
represents the decoding of the command, and process block
164 represents various exemplary functions such as
configure data base, execute breakpoint data base or
single step instruction analysis, access memory, and
access register that a particular command could entail.
Process block 166 represents the register table
assembled specifically for the Intel® 80386 microprocessor,
and indicates in broken lines additional separate register
tables custom arranged in additional memory space for
selective use with microprocessors of different types.
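
The ASCII-to-binary translation and decode steps of process blocks 160 through 164, as an added example that is not code from the patent or the instrument's firmware. The patent gives only the command codes “M” and “m”; the field layout (hex address, comma, hex length or hex data bytes, carriage-return terminator), the 16-byte payload limit and the simulated memory window are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA 16u        /* assumed per-command payload limit */
#define MEM_BASE 0x1000u    /* constructed stand-in for a target memory window */
#define MEM_SIZE 256u

enum cmd_status { CMD_OK, CMD_BAD_CHAR, CMD_UNKNOWN, CMD_BAD_FIELD, CMD_TOO_LONG };

struct command {
    char     code;              /* 'M' = memory write, 'm' = memory read (from the text) */
    uint32_t addr;
    uint32_t len;               /* bytes to read, or bytes held in data[] */
    uint8_t  data[MAX_DATA];
};

static uint8_t target_mem[MEM_SIZE];

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse 1 to 8 hex digits; more than 8 would overflow 32 bits and is rejected. */
static int parse_hex32(const char **p, const char *end, uint32_t *out)
{
    uint32_t v = 0;
    int digits = 0, d;
    while (*p < end && (d = hex_val(**p)) >= 0) {
        if (++digits > 8) return -1;
        v = (v << 4) | (uint32_t)d;
        ++*p;
    }
    if (digits == 0) return -1;
    *out = v;
    return 0;
}

/* Blocks 160/162: translate one ASCII command line to binary and decode it. */
enum cmd_status decode_command(const char *line, size_t n, struct command *cmd)
{
    const char *p = line, *end = line + n;
    memset(cmd, 0, sizeof *cmd);
    for (size_t i = 0; i < n; i++)          /* command bytes are 7-bit ASCII */
        if ((unsigned char)line[i] & 0x80) return CMD_BAD_CHAR;
    if (n < 2 || end[-1] != '\r') return CMD_BAD_FIELD;
    end--;                                  /* drop the assumed terminator */

    cmd->code = *p++;
    if (cmd->code != 'M' && cmd->code != 'm') return CMD_UNKNOWN;
    if (parse_hex32(&p, end, &cmd->addr) != 0) return CMD_BAD_FIELD;
    if (p == end || *p++ != ',') return CMD_BAD_FIELD;

    if (cmd->code == 'm') {                 /* read: second field is a length */
        if (parse_hex32(&p, end, &cmd->len) != 0 || p != end) return CMD_BAD_FIELD;
        if (cmd->len == 0 || cmd->len > MAX_DATA) return CMD_TOO_LONG;
        return CMD_OK;
    }
    while (p < end) {                       /* write: pairs of hex digits */
        int hi, lo;
        if (end - p < 2) return CMD_BAD_FIELD;
        hi = hex_val(p[0]);
        lo = hex_val(p[1]);
        if (hi < 0 || lo < 0) return CMD_BAD_FIELD;
        if (cmd->len == MAX_DATA) return CMD_TOO_LONG;
        cmd->data[cmd->len++] = (uint8_t)((hi << 4) | lo);
        p += 2;
    }
    return cmd->len ? CMD_OK : CMD_BAD_FIELD;
}

/* Block 164 "access memory": returns bytes transferred, or -1 if outside the window. */
int execute_command(const struct command *cmd, uint8_t *reply)
{
    if (cmd->addr < MEM_BASE) return -1;
    uint32_t off = cmd->addr - MEM_BASE;
    if (off >= MEM_SIZE || cmd->len > MEM_SIZE - off) return -1;  /* no wraparound */
    if (cmd->code == 'M') memcpy(&target_mem[off], cmd->data, cmd->len);
    else memcpy(reply, &target_mem[off], cmd->len);
    return (int)cmd->len;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *lines[] = { "M00001000,DEADBEEF\r", "m00001000,4\r", "m00001000,11\r" };
    uint8_t reply[MAX_DATA];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct command c;
        enum cmd_status st = decode_command(lines[i], strlen(lines[i]), &c);
        int n = (st == CMD_OK) ? execute_command(&c, reply) : -1;
        printf("line %zu: status=%d transferred=%d\n", i, (int)st, n);
    }
    return 0;
}
```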

FIG. 6 is a flow diagram showing the sequence of 
operations debugging instrument 10 carries out to en- 
able debugging of a target circuit. With reference to 
FIG. 6, process block 200 represents the initial applica- 
tion of electrical power to debugging instrument 10. 

Process block 202 indicates that, immediately after 
application of electrical power, the command signals 
required to configure logic cell arrays 44 and 24 of 
COMDAP 14 and TAP 12, respectively, are sequen- 
tially read out from the memory sites that correspond to 
the lowest order addresses (starting at hexadecimal 
0000) of EPROM 46. 

Once logic cell arrays 24 and 44 are properly config- 
ured to operate with the particular host computer and 
CPU 28 in use, the contents of one-half of the memory 
sites that correspond to the highest order addresses 
(hexadecimal 8000-FFFF) of EPROM 46 are down- 
loaded to RAM 34, as indicated by process block 204. 
The information transfer to RAM 34 is the firmware 
representing the ICE program of TAP 12. (In a pre- 
ferred embodiment, EPROM 46 has a 64K-byte storage 
capacity but RAM 34 has a 32K-byte storage capacity, 
thereby providing TAP 12 with memory expansion 
capability.) The above-described operations are ef- 
fected by means of conventional hardware techniques 
for initializing computer-based electronic circuitry. 

Process block 206 represents the application of a 
logic 1 state on RESET conductor 78 and a logic 0 state 
on BREAK conductor 76 of CPU 28 to reset its pro- 
gram counter to the restart vector, which is defined in 
the Intel® 80386 specifications.

Process block 208 indicates the application of a logic 
0 state to RESET conductor 78 and a logic 1 state to
BREAK conductor 76 will cause CPU 28 to dump the 
contents of the target CPU registers to ICE memory 
space in RAM 34, which ICE memory space begins at 
hexadecimal address 60000. The result is that RAM 34 
stores the contents of the target CPU registers before 
the target operations program has an opportunity to run 
and before the ICE program runs the target circuit. 
This allows the software engineer to step through the 
registers and inspect their contents. 
Process block 210 indicates that applying a logic 1
state on BREAK conductor 76 causes CPU 28 to run on 
the ICE program stored in RAM 34. This assumes a 
preexisting condition of debugging instrument 10 oper- 
ating on the target program, which operation requires a 
logic 0 state on BREAK conductor 76. 

Process block 212 indicates that the software engi- 
neer can at this stage download a different target pro- 
gram, if the software engineer so desires. 

Debugging instrument 10 performs emulation functions
on a target circuit controlled by CPU 28, which in
a preferred embodiment is an Intel® 80386 32-bit
microprocessor. To provide a capability for complete
transparency during the emulation process, debugging
instrument 10 takes advantage of three signal features
provided by emulation hardware integrated within the
Intel® 80386 chip (but not bonded out to the CPU
pins) and of certain undocumented instructions.
Applicants have identified the signal features as IADS,
IRDY, and BREAK and have identified the undocumented
instructions as LOADALL and four MOV
instructions. (The term “undocumented” refers to
instructions implemented in the Intel® 80386
microprocessor but not mentioned in its specification sheets.)

The IADS (“in-circuit emulation address strobe”)
and IRDY (“in-circuit emulation ready”) signals
implement an additional 4 Gigabyte address space, which is
available as an alternative to, and an image of, the
normal 4 Gigabyte address space dedicated for use by the
software engineer. This additional memory space is
referred to herein as “ICE memory space” and
represents memory sites in RAM 34. To access ICE memory
space, the Intel® 80386 microprocessor generates an
IADS signal instead of the documented normal ADS
signal. The appropriate ICE memory sites respond to
the receipt of the IADS signal by generating an IRDY
signal, instead of the documented normal RDY signal
dedicated to the target memory system.

There are several ways to cause the Intel® 80386
microprocessor to generate addresses in the ICE
memory space. One way is to apply to BREAK conductor
76 a logic 0 state, which suspends execution of the
target program and commences execution of instructions
stored in ICE memory space at the restart vector,
beginning at hexadecimal address FFFFFFF0. Applying
a logic 0 state to BREAK conductor 76 also saves in a
LOADALL area of ICE memory space the contents of
the Intel® 80386 microprocessor registers at the point
of transfer to ICE memory space. (This can be
considered as a “SAVEALL” instruction for storing the
current microprocessor state in the LOADALL area.)
Thus, the current microprocessor state in the target
program execution remains available for inspection,
later resumption of the target program, or modification
as desired. The BREAK signal allows, therefore, the
software engineer to seize control of the target
program.

Executing the undocumented LOADALL instruction, whose
opcode is 0F07, transitions the Intel® 80386 microprocessor
from ICE memory space to target memory space. Before
entering target memory space by executing a LOADALL
instruction, breakpoints need to be set to acquire control
of CPU 28 at the appropriate time during target code
execution. One method is to set software breakpoints, such
as an instruction that, when executed, will cause a BREAK
to ICE memory space. In the Intel® 80386, this instruction
has a single opcode “F1” that when executed saves the
target CPU states in the LOADALL area of ICE memory space,
as was described above. Another method is to set bit number
12 of the DEBUG register DR7 to a logic 1 state. This
causes the hardware breakpoint feature of the Intel® 80386
to BREAK to ICE memory space rather than to target memory
space.

Whenever a hardware or software breakpoint occurs, 
CPU 28 will dump the contents of the CPU internal 
registers to the LOADALL area, starting at hexadeci- 
mal address 60000, and then proceed to the RESTART 
vector and begin execution. 

In summary, executing the LOADALL instruction transitions
the Intel® 80386 microprocessor from ICE memory space to
target memory space. Effecting a BREAK condition (i.e.,
executing SAVEALL) causes storage of the entire state of
the Intel® 80386 microprocessor in the LOADALL area of ICE
memory space. The target program can be resumed by
executing the undocumented LOADALL instruction. Effecting a
BREAK condition causes, therefore, a SAVEALL of the
microprocessor state to ICE memory address 60000 and begins
execution in ICE memory space at FFFFFFF0. The
SAVEALL/LOADALL capability of the Intel® 80386
microprocessor loads the entire microprocessor state,
including “invisible” descriptor caches, from ICE memory
addresses 60000 to 60127.

Table 1 below identifies the hexadecimal addresses 
for the target CPU register contents stored in the LOA- 
DALL area of ICE memory space. 


TABLE 1

Address   Microprocessor Register
60000     CR0
60004     EFLAGS
60008     EIP
6000C     EDI
60010     ESI
60014     EBP
60018     ESP
6001C     EBX
60020     EDX
60024     ECX
60028     EAX
6002C     DR6
60030     DR7
60034     TR
60038     LDTS
6003C     GS
60040     FS
60044     DS
60048     SS
6004C     CS
60050     ES
60054     TSS Attributes
60058     TSS BASE
6005C     TSS LIMIT
60060     IDT Attributes
60064     IDT BASE
60068     IDT LIMIT
6006C     GDT Attributes
60070     GDT BASE
60074     GDT LIMIT
60078     LDT Attributes
6007C     LDT BASE
60080     LDT LIMIT
60084     GS Attributes
60088     GS BASE
6008C     GS LIMIT
60090     FS Attributes
60094     FS BASE
60098     FS LIMIT
6009C     DS Attributes
600A0     DS BASE
600A4     DS LIMIT
600A8     SS Attributes
600AC     SS BASE
600B0     SS LIMIT
600B4     CS Attributes
600B8     CS BASE
600BC     CS LIMIT
600C0     ES Attributes
600C4     ES BASE
600C8     ES LIMIT
60100     Attributes of selector recently loaded
60104     undefined
60108     Destination EIP of last JMP FAR
6010C     undefined
60110     undefined
60114     undefined
60118     undefined
6011C     undefined
60120     undefined
60124     VEIP Value of virtual EIP


The information in Table 1 enables the software engi- 
neer to examine the state of the CPU registers and alter 
their contents, if desired. 
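
The following is an added example, not part of the patent text: a bounds-checked decoder for a LOADALL-area snapshot laid out as in Table 1, of the kind a host-side debugger could use to inspect saved state. The function names, the little-endian dword assumption, and the sample bytes are assumptions made for illustration; the sample is constructed, not captured from hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOADALL_BASE  0x60000u    /* first ICE address of the area (Table 1) */
#define LOADALL_SIZE  0x128u      /* bytes 60000..60127 */
#define DR7_ICE_BREAK (1u << 12)  /* DR7 bit 12: breakpoints BREAK to ICE space */
struct slot { uint32_t addr; const char *name; };
struct desc_cache { uint32_t attr, base, limit; };

/* Single-dword slots of Table 1 (registers and selectors). */
static const struct slot regs[] = {
    {0x60000, "CR0"}, {0x60004, "EFLAGS"}, {0x60008, "EIP"},  {0x6000C, "EDI"},
    {0x60010, "ESI"}, {0x60014, "EBP"},    {0x60018, "ESP"},  {0x6001C, "EBX"},
    {0x60020, "EDX"}, {0x60024, "ECX"},    {0x60028, "EAX"},  {0x6002C, "DR6"},
    {0x60030, "DR7"}, {0x60034, "TR"},     {0x60038, "LDTS"}, {0x6003C, "GS"},
    {0x60040, "FS"},  {0x60044, "DS"},     {0x60048, "SS"},   {0x6004C, "CS"},
    {0x60050, "ES"},  {0x60124, "VEIP"},
};
/* Descriptor-cache entries: Attributes, BASE, LIMIT at addr, addr+4, addr+8. */
static const struct slot caches[] = {
    {0x60054, "TSS"}, {0x60060, "IDT"}, {0x6006C, "GDT"}, {0x60078, "LDT"},
    {0x60084, "GS"},  {0x60090, "FS"},  {0x6009C, "DS"},  {0x600A8, "SS"},
    {0x600B4, "CS"},  {0x600C0, "ES"},
};
/* Constructed sample snapshot, indexed by offset from LOADALL_BASE. */
static const uint8_t sample[LOADALL_SIZE] = {
    [0x08] = 0x00, [0x09] = 0x10, [0x0A] = 0x40,  /* EIP      = 00401000 */
    [0x31] = 0x10,                                /* DR7      = 00001000 */
    [0xBA] = 0x01,                                /* CS BASE  = 00010000 */
    [0xBC] = 0xFF, [0xBD] = 0xFF,                 /* CS LIMIT = 0000FFFF */
};

/* Bounds-checked little-endian dword read at an ICE address; 0 on success. */
int loadall_read(const uint8_t *area, size_t len, uint32_t addr, uint32_t *out) {
    if (addr < LOADALL_BASE || (addr & 3u)) return -1;
    uint32_t off = addr - LOADALL_BASE;
    if (off > LOADALL_SIZE - 4 || (size_t)off + 4 > len) return -1;
    *out = area[off] | (uint32_t)area[off + 1] << 8 |
           (uint32_t)area[off + 2] << 16 | (uint32_t)area[off + 3] << 24;
    return 0;
}

/* Read a register or selector by its Table 1 name; 0 on success. */
int loadall_reg(const uint8_t *area, size_t len, const char *name, uint32_t *out) {
    for (size_t i = 0; i < sizeof regs / sizeof regs[0]; i++)
        if (strcmp(regs[i].name, name) == 0)
            return loadall_read(area, len, regs[i].addr, out);
    return -1;
}

/* Read the "invisible" descriptor cache for TSS/IDT/GDT/LDT or a segment. */
int loadall_cache(const uint8_t *area, size_t len, const char *name,
                  struct desc_cache *dc) {
    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++)
        if (strcmp(caches[i].name, name) == 0)
            return loadall_read(area, len, caches[i].addr, &dc->attr) |
                   loadall_read(area, len, caches[i].addr + 4, &dc->base) |
                   loadall_read(area, len, caches[i].addr + 8, &dc->limit);
    return -1;
}

int main(void) {
    uint32_t eip = 0, dr7 = 0;
    if (loadall_reg(sample, sizeof sample, "EIP", &eip) ||
        loadall_reg(sample, sizeof sample, "DR7", &dr7)) return 1;
    printf("EIP=%08X break-to-ICE=%d\n", (unsigned)eip, (dr7 & DR7_ICE_BREAK) != 0);
    return 0;
}
```

A truncated or misaligned read returns -1 rather than touching memory outside the snapshot, so a partial dump cannot be misread as register state.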

The four undocumented MOV instructions perform target
memory read and write operations from ICE memory address
space. A set of possible mnemonics for these four
instructions for inclusion in an Intel® 80386
microprocessor disassembler, together with their opcodes
and descriptions, are summarized below in Table 2.

TABLE 2

Opcode     Instruction        Description
0F 10 /r   MVTGT r/m8,r8      Move Byte to target address r/m
0F 11 /r   MVTGT r/m32,r32    Move Dword to target address r/m
0F 12 /r   MVTGT r8,r/m8      Move Byte from target address r/m
0F 13 /r   MVTGT r32,r/m32    Move Dword from target address r/m


In Table 2, “/r” specifies the effective address and “r/m”
specifies the effective address in target memory space. The
mnemonic “MVTGT” refers to “MOV to target space,” and the
terms “Byte” and “Dword” refer to 8-bit data and 32-bit
data, respectively. (All addresses are 32 bits in length.)
The above instructions work properly in the protect mode of
the Intel® 80386 microprocessor. Persons having ordinary
skill in the art would appreciate the relationship of these
instructions to the operation of the Intel® 80386.
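
The following is an added example, not part of the patent text: a decoder for the four Table 2 encodings, as a disassembler would need in order to recognize them and step past them in an ICE program image. It assumes the standard 80386 32-bit ModRM/SIB rules apply to the “/r” byte and that no prefixes are present; the struct, the function names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct mvtgt {
    int from_target;  /* 0: move to target space, 1: move from target space */
    int width_bits;   /* 8 (Byte) or 32 (Dword) */
    int mod, reg, rm; /* ModRM fields; reg selects the register operand */
    int has_sib;      /* 1 if a SIB byte follows ModRM */
    int32_t disp;     /* displacement of the target address, 0 if none */
    size_t length;    /* total encoded length in bytes */
};

static const char *const r8[]  = {"AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"};
static const char *const r32[] = {"EAX", "ECX", "EDX", "EBX",
                                  "ESP", "EBP", "ESI", "EDI"};

/* Decode one MVTGT at p[0..n); 0 on success, -1 if not MVTGT or truncated. */
int mvtgt_decode(const uint8_t *p, size_t n, struct mvtgt *m) {
    if (n < 3 || p[0] != 0x0F || (p[1] & 0xFC) != 0x10) return -1;
    size_t len = 3, dlen = 0;
    m->from_target = (p[1] >> 1) & 1;      /* 0F 12 and 0F 13 read the target */
    m->width_bits  = (p[1] & 1) ? 32 : 8;  /* 0F 11 and 0F 13 move a Dword */
    m->mod = p[2] >> 6; m->reg = (p[2] >> 3) & 7; m->rm = p[2] & 7;
    m->has_sib = 0; m->disp = 0;
    if (m->mod != 3) {                     /* memory form: r/m is an address */
        int base = m->rm;
        if (m->rm == 4) {                  /* SIB byte follows ModRM */
            if (n < 4) return -1;
            m->has_sib = 1; base = p[3] & 7; len = 4;
        }
        if (m->mod == 1) dlen = 1;         /* disp8 */
        else if (m->mod == 2 || (m->mod == 0 && base == 5)) dlen = 4; /* disp32 */
    }
    if (len + dlen > n) return -1;         /* truncated instruction */
    if (dlen == 1) m->disp = (int8_t)p[len];
    if (dlen == 4) m->disp = (int32_t)(p[len] | (uint32_t)p[len + 1] << 8 |
                             (uint32_t)p[len + 2] << 16 | (uint32_t)p[len + 3] << 24);
    m->length = len + dlen;
    return 0;
}

/* Name of the register operand selected by the ModRM reg field. */
const char *mvtgt_reg(const struct mvtgt *m) {
    return m->width_bits == 8 ? r8[m->reg] : r32[m->reg];
}

int main(void) {
    /* Constructed bytes: 0F 11 05 00 10 00 00, Dword from EAX to target 00001000. */
    static const uint8_t code[] = {0x0F, 0x11, 0x05, 0x00, 0x10, 0x00, 0x00};
    struct mvtgt m;
    if (mvtgt_decode(code, sizeof code, &m)) return 1;
    printf("MVTGT %s target, %d-bit, reg=%s, disp=%08X, len=%zu\n",
           m.from_target ? "from" : "to", m.width_bits, mvtgt_reg(&m),
           (unsigned)m.disp, m.length);
    return 0;
}
```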

FIG. 7 shows for RAM 34 the memory map summa- 
rizing the starting addresses in ICE memory space for 
information stored in response to execution of the uni- 
dentified signal features and undocumented instruc- 
tions. The address assignments in memory space for 
protect mode code, protect mode stack, and protect 
mode data are optional. Other optional address assign- 
ments are real mode boot code, which refers to the 
starting address at initial application of electrical power, 
and HS (“high-speed”) serial port locations, which refer 
to memory sites from which data and instructions are 
transferred between the host computer and debugging 
instrument 10. 

FIG. 8 shows a diagram of the topology of the Intel® 80386
microprocessor chip for accomplishing a bond out of the
IADS, IRDY, and BREAK signal features to the CPU pins. With
reference to FIG. 8, arrows 13E and 13F in DETAIL C and
arrow 7C in DETAIL A designate the areas for placement of
bond-out wires (shown as broken lines) for the IADS, IRDY,
and BREAK signal features, respectively.

It will be obvious to those having skill in the art that 
many changes may be made to the details of the above- 
described preferred embodiment of the present inven- 
tion without departing from the underlying principles 
thereof. As a first example, the debugging instrument 
can be adapted for use with target circuits controlled by 
a CPU other than an Intel® 80386 microprocessor.
Depending on the type of CPU, different program in- 
structions may be required to provide the fully transpar- 
ent window into the internal functioning of the TAP 
CPU while executing code in the target circuit environ- 
ment. As a second example, the programmable logic 
cell arrays may be replaced by individual digital circuit 
components electrically interconnected to achieve the 
functions described herein. The scope of the present 
invention should, therefore, be determined only by the 
following claims. 

We claim: 

1. An instrument for testing and verifying the opera- 
tional performance of a target computer system in the 
electrical absence of a target CPU having input and 
output terminal positions at which respective specified 
target CPU input and output signals appear, the instru- 
ment comprising: 

target access probe (“TAP”) means including a TAP 
CPU receiving target CPU input signals and deliv- 
ering target CPU output signals for controlling the 
execution of software code on the target computer 
system in accordance with command signals pro- 
vided by a host analysis code source, the TAP 
means including TAP signal routing means for 
routing the command signals to the TAP CPU; 

a communications adapter (“COMDAP”) that pro- 
vides an interface between the host analysis code 
source and the TAP means, the COMDAP includ- 
ing COMDAP memory means having memory 
sites that store information for configuring signal 
paths within the COMDAP; and 

data communication linking means for providing a 
data communication link between the TAP means 
and the COMDAP. 

2. The instrument of claim 1 in which the COMDAP 
memory means is of a reprogrammable type, thereby 
providing a capability of storing information for config- 
uring different signal paths within the COMDAP to 
enable writing command signals delivered by host anal- 
ysis code sources of different types. 

3. The instrument of claim 1 in which the TAP signal 
routing means comprises a TAP logic cell array and in 
which each of the TAP logic cell array and the COM- 
DAP memory means is of a reprogrammable type, the 
COMDAP memory means being adaptable for storing 
information for configuring signal paths within the 
TAP logic cell array. 

4. The instrument of claim 3 in which the TAP means 
further comprises a TAP memory having memory sites 
that store instructions carried by command signals de- 
livered by the COMDAP and routed through the TAP 
logic cell array. 

5. The instrument of claim 4 in which the TAP mem- 
ory is of a random access memory type. 

6. The instrument of claim 4 in which the COMDAP 
memory means and the TAP memory are in signal com- 
munication with each other and the instructions stored 
in the COMDAP memory sites are transferred to the
TAP CPU at the time electrical power is initially ap- 
plied to the instrument. 

7. The instrument of claim 1 in which the TAP means 
and COMDAP are physically separate and in which the 
data communication linking means includes multiple 
electrically insulated conductors that carry the com- 
mand signals between the TAP means and the COM- 
DAP. 

8. The instrument of claim 7 in which the conductors 
are configured to form a flat cable assembly. 

9. A target access probe (“TAP”) for connecting to a 
target circuit that includes a target CPU communicat- 
ing with a target program memory having memory sites 
that store main program instructions for exercising of 
target circuit components, the target CPU having input 
and output terminal positions at which respective speci- 
fied target CPU input and output signals appear, the 
TAP testing and verifying the operational performance 
of the target circuit in response to host command signals 
provided by a host computer in the electrical absence of 
the target CPU and comprising: 

a TAP CPU receiving target CPU input signals at the 
input terminal positions and delivering target CPU 
output signals at the output terminal positions; 

in-circuit emulation (“ICE”) means including ICE 
program memory sites that store ICE program 
instructions and communicating with the TAP 
CPU for producing the target CPU output signals 
in accordance with the ICE program instructions 
executed by the TAP CPU in response to the host 
command signals, the ICE program instructions 
including an instruction for transferring opera- 
tional control of the TAP CPU from the target 
program to the ICE program and instructions for 
reading information from or writing information 
into target program memory sites; 

a TAP signal routing integrated circuit for configur- 
ing signal paths within the TAP; and 

input and output signal link means for providing a 
signal link to and from the host computer for the 
target CPU input and output signals; 

whereby the ICE means resides wholly outside of the 
target circuit and the delivery of the target CPU 
input signals to the corresponding target CPU 
input terminal positions and the delivery of the 
target CPU output signals to the corresponding 
target CPU output positions in response to the host 
command signals provide a capability for testing 
and verifying the performance of the target circuit 
in accordance with the ICE program instructions 
independently of the target program stored therein. 

10. The TAP of claim 9 in which the TAP CPU 
produces an ICE address strobe signal that enables 
access to the ICE program memory sites. 

11. The TAP of claim 10 in which the ICE program 
memory sites respond to the receipt of the ICE address 
strobe signal by delivering an ICE ready signal to the 
TAP CPU. 

12. The TAP of claim 9 in which the TAP CPU 
produces a break signal that suspends execution of in- 
structions stored in the main program memory sites and 
commences execution of instructions stored in the ICE 
program memory sites. 

13. The TAP of claim 9 in which the TAP signal 
routing integrated circuit is of a programmable type. 

14. The TAP of claim 9 in which the TAP signal 
routing integrated circuit comprises a logic cell array. 
15. The TAP of claim 14 in which the TAP signal
routing integrated circuit comprises a reprogrammable 
logic cell array. 

16. An instrument for testing and verifying the opera- 
tional performance of a target computer system in the 
electrical absence of a target CPU having input and 
output terminal positions at which respective specified 
target CPU input and output signals appear, the instru- 
ment comprising: 

target access probe (“TAP”) means including a TAP 
CPU receiving target CPU input signals and deliv- 
ering target CPU output signals for controlling the 
execution of software code on the target computer 
system in accordance with command signals pro- 
vided by a host analysis code source; 

a communications adapter (“COMDAP”) that cooperates
with the TAP means to provide an interface
between the host analysis code source and the TAP 
means, the COMDAP including a COMDAP 
memory having memory sites that store informa- 
tion for configuring signal paths within the COM- 
DAP; and 

data communication linking means for providing a 
data communication link between the TAP means 
and the COMDAP, the data communication link 
including handshake signals that indicate to the 
COMDAP whether the TAP means is available to 
provide data to the COMDAP and to the TAP 
means whether the COMDAP is available to re- 
ceive data from the TAP means. 

17. An instrument for testing and verifying the opera- 
tional performance of a target computer system in the 
electrical absence of a target CPU having input and 
output terminal positions at which respective specified 
target CPU input and output signals appear, the
instrument comprising:

target access probe (“TAP”) means including a TAP 
CPU receiving target CPU input signals and deliv- 
ering target CPU output signals for controlling the 
execution of software code on the target computer 
system in accordance with command signals pro- 
vided by a host analysis code source; 

a communications adapter (“COMDAP”) that cooperates
with the TAP means to provide an interface
between the host analysis code source and the TAP 
means; 

a signal routing integrated circuit operatively associ- 
ated with one of the TAP means and COMDAP to 
configure signal paths within the one of the TAP 
means and COMDAP; and 

data communication linking means for providing a 
data communication link between the TAP means 
and the COMDAP, the data communication link 
including handshake signals that indicate to the 
COMDAP whether the TAP means is available to
provide data to the COMDAP and to the TAP 
means whether the COMDAP is available to re- 
ceive data from the TAP means. 

18. The instrument of claim 17 in which the signal
routing integrated circuit is of a programmable type.

19. The instrument of claim 18 in which the signal 
routing integrated circuit comprises a logic cell array of 
a reprogrammable type. 

20. The instrument of claim 17 in which the signal 
routing integrated circuit comprises a logic cell array. 

21. An instrument for testing and verifying the opera- 
tional performance of a target computer system in the 
electrical absence of a target CPU having input and 
output terminal positions at which respective specified
target CPU input and output signals appear, the instru- 
ment comprising: 

target access probe (“TAP”) means including a TAP 
CPU receiving target CPU input signals and deliv- 
ering target CPU output signals for controlling the 
execution of software code on the target computer 
system in accordance with command signals pro- 
vided by a host analysis code source, the TAP 
means further including TAP signal path configur- 
ing memory sites that store information for config- 
uring signal paths within the TAP means; 

a communications adapter (“COMDAP”) that cooperates
with the TAP means to provide an interface
between the host analysis code source and the TAP 
means; and 

data communication linking means for providing a 
data communication link between the TAP means 
and the COMDAP, the data communication link 
including handshake signals that indicate to the 
COMDAP whether the TAP means is available to 
provide data to the COMDAP and to the TAP 
means whether the COMDAP is available to re- 
ceive data from the TAP means. 

22. A target access probe (“TAP”) for connecting to
a target circuit that includes a target CPU communicat-
ing with a target program memory having memory sites 
that store main program instructions for exercising of 
target circuit components, the target CPU having input 
and output terminal positions at which respective speci- 
fied target CPU input and output signals appear, the 
TAP testing and verifying the operational performance 
of the target circuit in response to host command signals 
provided by a host computer in the electrical absence of 
the target CPU and comprising: 

a TAP CPU receiving target CPU input signals at the 
input terminal positions and delivering target CPU 
output signals at the output terminal positions; 

in-circuit emulation (“ICE”) means including ICE 
program memory sites that store ICE program 
instructions and communicating with the TAP 
CPU for producing the target CPU output signals 
in accordance with the ICE program instructions 
executed by the TAP CPU in response to the host 
command signals, the ICE program instructions 
including an instruction for transferring opera- 
tional control of the TAP CPU from the target 
program to the ICE program and instructions for 
reading information from or writing information 
into target program memory sites; 

a TAP signal path configuration memory having 
memory sites that store information for configuring 
signal paths within the TAP; and 

input and output signal link means for providing a 
signal link to and from the host computer for the 
target CPU input and output signals; 

whereby the ICE means resides wholly outside of the 
target circuit and the delivery of the target CPU 
input signals to the corresponding target CPU 
input terminal positions and the delivery of the 
target CPU output signals to the corresponding
target CPU output positions in response to the host 
command signals provide a capability for testing 
and verifying the performance of the target circuit 
in accordance with the ICE program instructions 
independently of the target program stored therein. 

23. An instrument for testing and verifying the opera- 
tional performance of a target computer system in the 
electrical absence of a target CPU having input and 
output terminal positions at which respective specified 
target CPU input and output signals appear, the instru- 
ment comprising: 

target access probe (“TAP”) means including a TAP 
CPU receiving target CPU input signals and deliv- 
ering target CPU output signals for controlling the 
execution of software code on the target computer 
system in accordance with command signals pro- 
vided by a host analysis code source; 

a communications adapter (“COMDAP”) that provides
an interface between the host analysis code
source and the TAP means; 

a signal routing integrated circuit operatively associ- 
ated with one of the TAP means and COMDAP to 
configure signal paths within the one of the TAP 
means and COMDAP; and 

data communication linking means for providing a 
data communication link between the TAP means 
and the COMDAP. 

24. The instrument of claim 23 in which the signal
routing integrated circuit is of a programmable type.

25. The instrument of claim 24 in which the signal 
routing integrated circuit includes a reprogrammable 
logic cell array. 

26. The instrument of claim 25 in which the TAP 
means further comprises a TAP signal path configura- 
tion memory including memory sites that store informa- 
tion for configuring signal paths within the TAP. 

27. The instrument of claim 23 in which the signal 
routing integrated circuit includes a logic cell array. 

28. The instrument of claim 23 in which the TAP 
means and COMDAP are physically separate and in 
which the data communication linking means includes 
multiple electrically insulated conductors that carry the 
command signals between the TAP means and the 
COMDAP. 

29. The instrument of claim 23 in which the TAP 
means further comprises a TAP instruction memory 
having memory sites that store instructions carried by 
command signals. 

30. The instrument of claim 29 in which the TAP 
memory is of a random access memory type. 

31. The instrument of claim 23 in which the signal 
routing integrated circuit is operatively associated with 
the TAP means. 

32. The instrument of claim 23 in which the COM- 
DAP includes a COMDAP memory having memory 
sites that store information for configuring the signal 
paths within the COMDAP. 